isrstealer | 1db44426b666ece25c1b9341edefb81655a2dac2ea3016a8a4cd868742d1cc0e

Analysis

max time kernel
40s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Demurrage/Demurragefees.exe
Size

762KB
MD5

1c4dbd755e7ba59d2a4ce457f09f755b
SHA1

80b81ba84a6a507c241f5a99e34153fab47d3f0b
SHA256

3848e61897e3fbc185353a109e0de82164d50a00e1c793290ad7cfd53a9807b4
SHA512

55a509c9a3be54093b13409da0f7720932e5eb9fab3d6322bcdef0755584aff10224bc98b4ae3db68261900e9a56359416cc0cffde429c0d0cf09fdccd07c90d

Score

10^/10

isrstealer collection stealer trojan upx

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer Payload 5 IoCs

resource	yara_rule
behavioral3/memory/896-61-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral3/memory/896-63-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral3/memory/896-64-0x0000000000401180-mapping.dmp	family_isrstealer
behavioral3/memory/896-75-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer
behavioral3/memory/896-86-0x0000000000400000-0x0000000000442000-memory.dmp	family_isrstealer

NirSoft MailPassView 4 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral3/memory/2000-85-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral3/memory/2000-84-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral3/memory/2000-87-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView
behavioral3/memory/2000-88-0x0000000000400000-0x000000000041F000-memory.dmp	MailPassView

Nirsoft 4 IoCs

resource	yara_rule
behavioral3/memory/2000-85-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral3/memory/2000-84-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral3/memory/2000-87-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft
behavioral3/memory/2000-88-0x0000000000400000-0x000000000041F000-memory.dmp	Nirsoft

Executes dropped EXE 3 IoCs

pid	Process
896	svhost.exe
596	svhost.exe
2000	svhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/memory/2000-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2000-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2000-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2000-84-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2000-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral3/memory/2000-88-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 3 IoCs

pid	Process
1500	Demurragefees.exe
896	svhost.exe
896	svhost.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 896	1500	Demurragefees.exe	30
PID 896 set thread context of 596	896	svhost.exe	31
PID 896 set thread context of 2000	896	svhost.exe	32

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1500	Demurragefees.exe
1500	Demurragefees.exe
1500	Demurragefees.exe
1500	Demurragefees.exe
1500	Demurragefees.exe
1500	Demurragefees.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	Demurragefees.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
896	svhost.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1840	1500	Demurragefees.exe	28
PID 1500 wrote to memory of 1840	1500	Demurragefees.exe	28
PID 1500 wrote to memory of 1840	1500	Demurragefees.exe	28
PID 1500 wrote to memory of 1840	1500	Demurragefees.exe	28
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 1500 wrote to memory of 896	1500	Demurragefees.exe	30
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 596	896	svhost.exe	31
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32
PID 896 wrote to memory of 2000	896	svhost.exe	32

C:\Users\Admin\AppData\Local\Temp\Demurrage\Demurragefees.exe
"C:\Users\Admin\AppData\Local\Temp\Demurrage\Demurragefees.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe"
  2⤵
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\wQZoocvH36.ini"
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Users\Admin\AppData\Local\Temp\svhost.exe
    /scomma "C:\Users\Admin\AppData\Local\Temp\eWKY86j8FO.ini"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook accounts
    PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
1.6MB

MD5
32827e69b293b99013bbbe37d029245d

SHA1
bc9f80a38f09354d71467a05b0c5a82c3f7dac53

SHA256
9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f

SHA512
58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Download Submit
memory/896-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-61-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-59-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-58-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/896-75-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1500-79-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/1500-55-0x0000000073FB0000-0x000000007455B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-84-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-88-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download